Monday, April 12, 2010

Dr. Ed Roberts dies

Dr. Ed Roberts, founder of MITS in Albuquerque, died Thursday, April 1, 2010. Dr. Roberts created the Altair 8800 computer and, in my opinion, sparked the personal computer revolution. He was 68. CNET article: http://news.cnet.com/8301-13860_3-20001616-56.html

Wednesday, December 2, 2009

Disabling the command prompt does NOT increase security

There is a configuration setting in the Windows operating system called "Disable the command prompt." It "prevents users from running the interactive command prompt, cmd.exe. This policy also determines whether batch files (.cmd and .bat) can run on the computer. If you enable this policy and the user tries to open a command window, the system displays a message explaining that a policy prevents the action" (copied and pasted from the Microsoft documentation).

This setting is a holdover from Windows 95/98 (which had no security), but it is completely pointless on Windows NT/2000/XP/2003/Vista and later. I can't think of a single good reason to disable the command prompt. Why? Because cmd.exe is a program, not a security boundary.

In the Windows operating system, a security boundary prevents a program from doing something, or prevents data from going somewhere, without authorization. If a user opens a command prompt (i.e., starts the cmd.exe program), the cmd.exe program is running as that user, just like any other program the user runs. The cmd.exe program does not somehow give the user the ability to do things they can't do otherwise. The user's account is the security boundary, not the command prompt.
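The point above can be checked from any process the user runs. The following PowerShell is an added example, not part of the original post. It reads the per-user policy value (`DisableCMD` under `HKCU:\Software\Policies\Microsoft\Windows\System`) and, separately, estimates the user's rights on a directory from the SIDs in the process token. The function names are hypothetical, and the ACL evaluation is a simplified approximation of the real Windows access check.

```powershell
# Added illustration; function names are hypothetical, not from the original post.
function Get-CmdPolicyState {
    # Per-user registry value behind the "Disable the command prompt" policy.
    $key   = 'HKCU:\Software\Policies\Microsoft\Windows\System'
    $value = (Get-ItemProperty -Path $key -Name DisableCMD -ErrorAction SilentlyContinue).DisableCMD
    if     ($value -eq 1) { 'Disabled (batch files blocked too)' }
    elseif ($value -eq 2) { 'Disabled (batch files still allowed)' }
    else                  { 'Not configured' }
}

function Test-TokenCanWrite {
    param([Parameter(Mandatory)][string]$Path)
    # The SIDs in this process's token are what Windows compares against the ACL.
    $id   = [Security.Principal.WindowsIdentity]::GetCurrent()
    $sids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
    $allow = 0; $deny = 0
    $rules = (Get-Acl -Path $Path).GetAccessRules($true, $true,
                 [Security.Principal.SecurityIdentifier])
    foreach ($r in $rules) {
        # Skip ACEs that only apply to child objects, and ACEs for other SIDs.
        if ($r.PropagationFlags -band [Security.AccessControl.PropagationFlags]::InheritOnly) { continue }
        if ($sids -notcontains $r.IdentityReference.Value) { continue }
        if ($r.AccessControlType -eq 'Allow') { $allow = $allow -bor [int]$r.FileSystemRights }
        else                                  { $deny  = $deny  -bor [int]$r.FileSystemRights }
    }
    # Simplification: allow bits minus deny bits (the real check walks ACEs in order).
    $effective = $allow -band (-bnot $deny)
    $write     = [int][Security.AccessControl.FileSystemRights]::WriteData
    ($effective -band $write) -ne 0
}

$id        = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($id)
[pscustomobject]@{
    User               = $id.Name
    IsAdministrator    = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    CmdPolicy          = Get-CmdPolicyState
    CanWriteSystemRoot = Test-TokenCanWrite -Path $env:SystemRoot
}
```

The `CanWriteSystemRoot` result depends only on the token and the directory's ACL; `CmdPolicy` never enters the calculation, which is why group membership and ACLs are the settings worth auditing.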

I have seen many requests for technical help in various forums, and sometimes the answer to a problem involves typing commands at a command prompt. Occasionally, I will see a reply like: "That won't work, because we have disabled the command prompt." My suspicion is that some administrators think that disabling the command prompt somehow increases security, but because this is wrong, the only thing it accomplishes in cases like this is slowing down problem-solving processes (thus increasing costs).

[Update 5/13/2015] - These comments also apply to running PowerShell. (I'm not talking about PowerShell's execution policy, which is a separate issue. I am talking about just running powershell.exe or powershell_ise.exe.)

Tuesday, September 1, 2009

Unchain office computers?

Yesterday, I was pointed to an article written by Farhad Manjoo on Slate titled "Unchain the Office Computers!" Apparently, Mr. Manjoo has never been responsible for maintaining a corporate network. For example, at the beginning of the article, he writes that people are less productive because
...at work they're stymied by the IT department, that class of interoffice Brahmins that decides, ridiculously and capriciously, how people should work.
By this, he seems to mean that IT is "ridiculous" and "capricious" because some IT departments block people from installing whatever programs they want. This comment, which is itself ridiculous, reveals a large amount of ignorance. For example, on a Windows-based network, doing what Mr. Manjoo suggests requires giving all users Administrator-level control of their computers. Microsoft's official documentation says this is a bad idea and gives the reasons why. I can vouch for this with personal experience: I used to work in a large networked environment back in the Windows NT 4.0 days (1998-2000) where everyone had Administrator access, and the help desk team I worked with spent most of our day fixing user mistakes that would have been prevented if the users didn't have Administrator access. I fail to see how this will somehow increase productivity. I would argue that, in most cases, there will be a net productivity loss, particularly with unskilled users.

Mr. Manjoo's second mistake is in confusing the above issue (blocking program installation) with blocking Internet access. These are two separate issues for an organization, and should be addressed as such. He complains that all IT restrictions are arbitrary, but sometimes there's no nefarious intent by IT to prevent people from doing something--for example, suppose IT installs Internet monitoring software, but the monitoring software's default settings are too restrictive. Yes, this is a mistake IT should rectify, but my point is that not all Internet access blockages are intentional. In addition, sometimes it's simply user error. For example, I have heard complaints that "IT is blocking my web site" when in fact the user was typing an invalid web address.

My advice to Mr. Manjoo is not to write about an IT topic until he is properly informed about it. I wonder if he took the time to interview IT managers to find out the reasons for his complaints? (My guess is that he probably didn't.) Writing an uninformed article that confuses two broad issues (blocking program installation and blocking web sites) doesn't do anyone any favors and has the effect of unfairly casting IT in a bad light.

Thursday, April 19, 2007

IT Pro Townhall Meeting in Redmond

This week I've had the opportunity to take part in an IT Pro Townhall meeting up here in Redmond, which gave me the opportunity to "voice my concerns" about the Vista copy protection problem to other IT pros and even a couple of Microsoft folks. We'll see what happens from it.

In any case, I've had a great time meeting a number of people: Jeff Hicks from scriptinganswers.com (Sapien), Jeffrey Snover (Windows PowerShell team), Darren Mar-Elia (gpoguy.com), Mark Minasi (minasi.com), Susan Bradley (sbsdiva.com), Mark Burnett (the LogParser book guy), and last (but not least) Karen Forster, editorial and strategy director for Windows IT Pro magazine (she's the one who recommended that I go to the event). Our last session of the day was a short sit-down with Steve Ballmer, and a few people were able to ask him some questions. It was an interesting and informative event.

Not surprisingly, licensing seemed to be a recurrent pain for us all. One participant made the suggestion that if Microsoft, internally, had to deal with their own licensing schemes that the rest of us are forced to put up with, the problem would go away...

Monday, January 29, 2007

What's in a Name?

The Altair is sometimes regarded as the first personal computer. It was sold by MITS in Albuquerque, NM, USA, and Microsoft designed the first BASIC language for it. I never owned an Altair, but since its creation set in motion a chain of events that now provides my employment I thought it was suitable to pay homage.